The Hive ransomware-as-a-service (RaaS) operation first emerged in June 2021 and has aggressively targeted, and continues to target, the health and public health (HPH) sector. From June 2021 until November 2022, the group conducted attacks on more than 1,300 organizations worldwide, generating more than $100 million in ransom payments.
Victims in the HPH sector include the public health system in Costa Rica, Partnership HealthPlan of California, Memorial Health System, Missouri Delta Medical Center, Southwell, Hendry Regional Medical Center, and Lake Charles Memorial Health System, with the latter currently recovering from the attack that occurred this month. The attacks put patient safety at risk and have forced hospitals to divert ambulances, cancel surgeries, postpone appointments, and close urgent care units.
On November 17, 2022, the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Department of Health and Human Services (HHS) issued a joint alert to the HPH sector warning about the risk of attacks and shared Indicators of Compromise (IoCs) and details of the tactics, techniques, and procedures (TTPs) used by the group, along with recommended mitigations for blocking, detecting, and mitigating attacks.
Hive has sophisticated capabilities, engages in double extortion tactics, and publicly releases stolen data on its leak site when victims refuse to pay the ransom. The group has been known to reinfect victims that have attempted to recover without paying the ransom. As a RaaS operation, affiliates are recruited to conduct attacks on behalf of the gang for a cut of the ransom payments they generate, with the affiliates having areas of expertise for gaining access to victims’ networks.
The most common methods used for initial access are exploiting vulnerabilities in Remote Desktop Protocol (RDP) and other remote network connection protocols, compromising Virtual Private Networks (VPNs), conducting phishing attacks using malicious attachments, and exploiting unpatched vulnerabilities, including CVE-2020-12812 to access FortiOS servers, and the Microsoft Exchange Server vulnerabilities CVE-2021-31207, CVE-2021-34473, and CVE-2021-34523.
Once access to a network has been gained, the group identifies processes related to backups, antivirus/anti-spyware, and file copying, and terminates them. Volume shadow copy services are stopped and all existing shadow copies are deleted, and Windows event logs are cleared, specifically the System, Security, and Application logs. Prior to encryption, virus definitions are removed and Windows Defender and other common antivirus programs are disabled through the system registry, and sensitive data is exfiltrated using Rclone and the cloud storage service Mega.nz. The group operates a live chat service to engage with victims and has also been known to contact victims by phone and email to discuss payment. Ransom demands can be considerable, ranging from several thousand to millions of dollars.
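As an added defender-side example (not part of the HIPAA Journal article or the joint alert), the following Python scans constructed process-creation log lines for the pre-encryption steps described above and flags a host on which several distinct steps appear together. It assumes a simplified key=value log format and an rclone remote named mega: configured for Mega.nz; both are assumptions for illustration, as are the sample lines themselves.

```python
import re
from collections import defaultdict

# Constructed sample process-creation log lines (not real telemetry). The reg line
# carries escaped quotes, as a JSON-style log export would.
SAMPLE_LOGS = [
    r'ts=2022-11-20T02:14:07Z host=WS01 user=jdoe cmdline="vssadmin.exe delete shadows /all /quiet"',
    r'ts=2022-11-20T02:14:09Z host=WS01 user=jdoe cmdline="wevtutil.exe cl Security"',
    r'ts=2022-11-20T02:14:10Z host=WS01 user=jdoe cmdline="wevtutil.exe cl System"',
    r'ts=2022-11-20T02:14:12Z host=WS01 user=jdoe cmdline="reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\" /v DisableAntiSpyware /t REG_DWORD /d 1 /f"',
    r'ts=2022-11-20T02:15:30Z host=WS01 user=jdoe cmdline="rclone.exe copy D:\Finance mega:exfil -P"',
    r'ts=2022-11-20T02:16:00Z host=WS02 user=asmith cmdline="wevtutil.exe qe Application /c:5"',
]

# One rule per pre-encryption step named in the alert summary. Querying a log
# (wevtutil qe) is benign and must not match the clearing rule.
RULES = {
    "shadow_copy_deletion": re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I),
    "event_log_cleared": re.compile(r"\bwevtutil(\.exe)?\s+(cl|clear-log)\s+(System|Security|Application)\b", re.I),
    "defender_registry_tamper": re.compile(r"Windows Defender.*\bDisable(AntiSpyware|RealtimeMonitoring)\b", re.I),
    "rclone_to_mega": re.compile(r"\brclone(\.exe)?\s+(copy|sync|move)\b.*\bmega:", re.I),  # assumed remote name
}

# cmdline is the last field, so a greedy match keeps embedded escaped quotes intact.
LINE_RE = re.compile(r'ts=(\S+)\s+host=(\S+)\s+user=(\S+)\s+cmdline="(.*)"$')

def parse_line(line):
    """Return a dict for a well-formed line, or None for anything unparseable."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, host, user, cmd = m.groups()
    return {"ts": ts, "host": host, "user": user, "cmdline": cmd}

def match_rules(cmdline):
    """Names of every rule whose pattern appears in the command line."""
    return [name for name, rx in RULES.items() if rx.search(cmdline)]

def detect(lines):
    """One hit per (line, rule) pair; malformed lines are skipped."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        hits.extend({**rec, "rule": rule} for rule in match_rules(rec["cmdline"]))
    return hits

def score_hosts(hits, min_stages=3):
    """Hosts where at least min_stages distinct steps were seen, with the sorted step names."""
    stages = defaultdict(set)
    for h in hits:
        stages[h["host"]].add(h["rule"])
    return {host: sorted(s) for host, s in stages.items() if len(s) >= min_stages}
```

Any single rule will fire on legitimate administration now and then; the per-host combination in score_hosts is what separates the ransomware sequence from routine maintenance.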
Healthcare organizations are urged to read the joint security alert, monitor their systems using the provided IoCs, harden defenses against the identified TTPs, and implement the recommended mitigations.
The post Feds Issue Warning to HPH Sector About Aggressive Hive Ransomware Group appeared first on HIPAA Journal.